E-Banking Workprogram · Web viewDescribe the operational organization structure for technology operations and assess its effectiveness in supporting the business activities of the

APPENDIX A: EXAMINATION PROCEDURES

EXAMINATION OBJECTIVES: Assess the quality and effectiveness of the institution’s technology operations. These procedures will help disclose the adequacy of risk management of, and controls around, the institution’s technology operations.

Examiners may choose to use only particular components of the workprogram based upon the size, complexity, and nature of the institution’s business or upon a risk-focused examination plan.

The objectives and procedures are divided into Tier I and Tier II:

▪ Tier I assesses an institution’s process for identifying and managing risk.▪ Tier II provides additional verification where risk warrants it.

Tier I and Tier II are a tool set examiners will use when selecting examination procedures for their particular examination. Examiners should use these procedures as necessary to support examination objectives. Examiners should coordinate this coverage with other examiners to avoid duplication of effort while including the operations-related issues found in other workprograms.

TIER I OBJECTIVES AND PROCEDURESWork Paper

Reference Comment

Objective 1: Determine scope and objectives for reviewing the technology operations.

1. Review past reports for outstanding issues or previous problems. Consider:

▪ Regulatory reports of examination;▪ Internal and external audit reports,

including third-party review reports;

▪ Any available and applicable reports on entities providing services to the institution or shared application software reviews (SASR) on software it uses; and

2. Review management’s response to

FFIEC IT EXAMINATION HANDBOOK Page 1

Work Paper Reference Comment

issues raised during the previous regulatory examination and during internal and external audits performed since the last examination. Consider:

▪ Adequacy and timing of corrective action;

▪ Resolution of root causes rather than just specific issues; and

▪ Existence of any outstanding issues.

3. Interview management and review the operations information request to identify:

▪ Any significant changes in business strategy or activities that could affect the operations environment;

▪ Any material changes in the audit program, scope, or schedule related to operations;

▪ Changes to internal operations infrastructure, architecture, information technology environment, and configurations or components;

▪ Key management changes;▪ Changes in key service providers

(core banking, transaction processing, website/Internet banking, voice and data communication, back-up/recovery, etc.) and software vendor listings; and

▪ Any other internal or external factors that could affect the operations environment.



Objective 2: Determine the quality of IT operations oversight and support provided by the board of directors and senior management.

1. Describe the operational organization structure for technology operations and assess its effectiveness in supporting the business activities of the institution.

2. Review documentation that describes, or discuss with management, the technology systems and operations (enterprise architecture) in place to develop an understanding of how these systems support the institution’s business activities. Assess the adequacy of the documentation or management’s ability to knowledgeably discuss how technology systems support business activities.

3. Review operations management MIS reports. Discuss whether the frequency of monitoring or reporting is continuous (for large, complex facilities) or periodic. Assess whether the MIS adequately addresses:

▪ Response times and throughput;▪ System availability and/or down

time;▪ Number, percentage, type, and

causes of job failures; and▪ Average and peak system

utilization, trends, and capacity.

Objective 3: Determine whether senior management and the board periodically conduct a review to identify or validate previously identified risks to IT operations, quantify the



probability and impact of the risks, establish adequate internal controls, and evaluate processes for monitoring risks and the control environment.

1. Obtain documentation of or discuss with senior management the probability of risk occurrence and the impact to IT operations. Evaluate management’s risk assessment process.

2. Obtain copies of, and discuss with senior management, the reports used to monitor the institution’s operations and control environment. Assess the adequacy and timeliness of the content.

3. Determine whether management coordinates the IT operations risk management process with other risk management processes such as those for information security, business continuity planning, and internal audit.

Objective 4: Obtain an understanding of the operations environment.

1. Review and consider the adequacy of the environmental survey(s) and inventory listing(s) or other descriptions of hardware and software. Consider the following:

▪ Computer equipment – vendor and model number;

▪ Network components;▪ Names, release dates, and version

numbers of application(s), operating system(s), and utilities; and



▪ Application processing modes:· On-line/real time;· Batch; and· Memo post.

2. Review systems diagrams and topologies to obtain an understanding of the physical location of and interrelationship between:

▪ Hardware; ▪ Network connections (internal and

external); ▪ Modem connections; and▪ Other connections with outside

third parties.

3. Obtain an understanding of the mainframe, network, and telecommunications environment and how the information flows and maps to the business process.

4. Review and assess policies, procedures, and standards as they apply to the institution’s computer operations environment and controls.

Objective 5: Determine whether there are adequate controls to manage the operations-related risks.

1. Determine whether management has implemented and effectively utilizes operational control programs, processes, and tools



such as:

▪ Performance management and capacity planning;

▪ User support processes;▪ Project, change, and patch

management;▪ Conversion management;▪ Standardization of hardware,

software, and their configuration;▪ Logical and physical security;▪ Imaging system controls;▪ Environmental monitoring and

controls; and▪ Event/problem management.

2. Determine whether management has implemented appropriate daily operational controls and processes including:

▪ Scheduling systems or activities for efficiency and completion;

▪ Monitoring tools to detect and preempt system problems or capacity issues;

▪ Daily processing issue resolution and appropriate escalation procedures;

▪ Secure handling of media and distribution of output; and

▪ Control self-assessments.

3. Determine whether management has implemented appropriate human resource management. Assess whether:

▪ The organizational structure is appropriate for the institution’s



business lines;▪ Management conducts ongoing

background checks for all employees in sensitive areas;

▪ Segregation and rotation of duties are sufficient;

▪ Management has policies and procedures to prevent excessive employee turnover; and

▪ There are appropriate policies and controls concerning termination of operations personnel.

Objective 6: Review data storage and back-up methodologies, and off-site storage strategies.

1. Review the institution’s enterprise-wide data storage methodologies. Assess whether management has appropriately planned its data storage process, and that suitable standards and procedures are in place to guide the function.

2. Review the institution’s data back-up strategies. Evaluate whether management has appropriately planned its data back-up process, and whether suitable standards and procedures are in place to guide the function.



3. Review the institution’s inventory of data and program files (operating systems, purchased software, in-house developed software) stored on and off-site. Determine if the inventory is adequate and whether management has an appropriate process in place for updating and maintaining this inventory.

4. Review and determine if management has appropriate back-up procedures to ensure the timeliness of data and program file back-ups. Evaluate the timeliness of off-site rotation of back-up media.

5. Identify the location of the off-site storage facility and evaluate whether it is a suitable distance from the primary processing site. Assess whether appropriate physical controls are in place at the off-site facility.

6. Determine whether management performs periodic physical inventories of off-site back-up material.

7. Determine whether the process for regularly testing data and program back-up media is adequate to ensure the back-up media is readable and that restorable copies have been produced.

Objective 7: Determine if adequate environmental monitoring and controls exist.



1. Review the environmental controls and monitoring capabilities of the technology operations as they apply to:

▪ Electrical power;▪ Telecommunication services;▪ Heating, ventilation, and air

conditioning;▪ Water supply;▪ Computer cabling;▪ Smoke detection and fire

suppression;▪ Water leaks; and▪ Preventive maintenance.

Objective 8: Ensure appropriate strategies and controls exist for the telecommunication services.

1. Assess whether controls exist to address telecommunication operations risk, including:

▪ Alignment of telecommunication architecture and process with the strategic plan;

▪ Monitoring of telecommunications operations such as downtime, throughput, usage, and capacity utilization; and

▪ Assurance of adequate availability, speed, and bandwidth/capacity.



2. Determine whether there are adequate security controls around the telecommunications environment, including:

▪ Controls that limit access to wiring closets, equipment, and cabling to authorized personnel;

▪ Secured telecommunications documentation;

▪ Appropriate telecommunication change control procedures; and

▪ Controlled access to internal systems through authentication.

3. Discuss whether the telecommunications system has adequate resiliency and continuity preparedness, including:

▪ Telecommunications system capacity;

▪ Telecommunications provider diversity;

▪ Telecommunications cabling route diversity, multiple paths and entry points; and

▪ Redundant telecommunications to diverse telephone company central offices.

Objective 9: Ensure the imaging systems have an adequate control environment.



1. Identify and review the institution’s use of item processing and document imaging solutions and describe the imaging function.

▪ Describe or obtain the system data flow and topology.

▪ Evaluate the adequacy of imaging system controls including the following:· Physical security;· Data security;· Documentation;· Error handling;· Program change procedures;· System recoverability; and · Vital records retention.

2. Evaluate the adequacy of controls over the integrity of documents scanned through the system and electronic images transferred from imaging systems (accuracy and completeness, potential fraud issues).

3. Review and assess the controls for destruction of source documents (e.g., shredded) after being scanned through the imaging system.

4. Determine whether management is monitoring and enforcing compliance with regulations and other standards, including if imaging processes have been reviewed by legal counsel.



5. Assess to what degree imaging has been included in the business continuity planning process, and if the business units reliant upon imaging systems are involved in the BCP process.

6. Determine if there is segregation of duties where the imaging occurs.

Objective 10: Determine whether an effective event/problem management program exists.

1. Describe and assess the event/problem management program’s ability to identify, analyze, and resolve issues and events, including:

▪ Escalation of operations disruption to declaration of a disaster; and

▪ Collaboration with the security and information security functions in the event of a security breach or other similar incident.



2. Assess whether the program adequately addresses unusual or non-routine activities, such as:

▪ Production program failures;▪ Production reports that do not

balance;▪ Operational tasks performed by

non-standard personnel;▪ Deleted, changed, modified,

overwritten, or otherwise compromised files identified on logs and reports;

▪ Database modifications or corruption; and

▪ Forensic training and awareness.

3. Determine whether there is adequate help desk support for the business lines, including:

▪ Effective issue identification;▪ Timely problem resolution; and▪ Implementation of effective

preventive measures.

Objective 11: Ensure the items processing functions have an adequate control environment.



1. Assess the controls in place for processing of customer transactions, including:

▪ Transaction initiation and data entry;

▪ Microfilming, optical recording, or imaging;

▪ Proof operations;▪ Batch processing;▪ Balancing;▪ Check in-clearing;▪ Review and reconcilement;▪ Transaction controls; and▪ Terminal entry.

CONCLUSIONS

Objective 12: Discuss corrective action and communicate findings.

1. Determine the need to proceed to Tier II procedures for additional review related to any of the Tier I objectives.

2. From the procedures performed, including any Tier II procedures performed:

▪ Document conclusions related to the effectiveness and controls in the operations environment; and

▪ Determine and document to what extent, if any, you may rely upon the procedures performed by the internal and external auditors in determining the effectiveness of the operations controls.



3. Review your preliminary conclusions with the examiner in charge (EIC) regarding:

▪ Violations of law, rulings, regulations;

▪ Significant issues warranting inclusion as matters requiring board attention or recommendations in the report of examination; and

▪ Noncompliance with supervisory guidance.

4. Discuss your findings with management and obtain proposed corrective action. Relay those findings and management’s response to the EIC.

5. Document your conclusions in a memo to the EIC that provides report ready comments for all relevant sections of the FFIEC report of examination.

6. Develop an assessment of operations sufficient to contribute to the determination of the Support and Delivery component of the Uniform Rating System for Information Technology (URSIT) rating.

7. Organize your work papers to ensure clear support for significant findings and conclusions.


TIER II OBJECTIVES AND PROCEDURESThe Tier II examination procedures for operations provide additional verification procedures to evaluate the effectiveness of a financial institution’s technology operations. They also enable the examiner to identify potential root causes of weaknesses. These procedures may be used in their entirety or selectively, depending upon the scope of the examination and the need for additional verification. Examiners should coordinate this coverage with other examiners to avoid duplication of effort while including the operations-related issues found in other workprograms.

The procedures provided below are not requirements for control implementation. The selection of controls and control implementation should be guided by the risks facing the institution's operations environment and the size and complexity of the technology operations. Thus, the controls necessary for any single institution or any area of an institution may differ based on size and complexity of operations.


A. OPERATING ENVIRONMENT

1. Review the process in place to ensure the system inventories remain accurate and reflect the complete enterprise, including:

▪ Computer equipment (mainframes, midranges, servers, and standalone):· Vendor, model and type;· Operating system and

release/version;· Processor capability (millions of

instructions per second [MIPS], etc.);

· Memory;· Attached storage;· Role;· Location, IP address where

applicable, and status (operational/not operational);



and· Application processing mode or

context.▪ Network devices:

· Vendor, model, and type;· IP address;· Native storage (random access

memory);· Hardware revision level;· Operating systems; and· Release/version/patch level.

▪ Software:· Type or application name;· Manufacturer and vendor;· Serial number;· Version level;· Patch level; and· Number of licenses owned and

copies installed.

B. CONTROLS POLICIES, PROCEDURES AND PRACTICES

1. Determine if supervisory personnel review the console log and retain it in safe storage for a reasonable amount of time to provide for an audit trail.

1.

C. STORAGE/BACK-UP

▪ Review the implemented storage options and architectures for critical applications to ensure they are suitable and effective.

▪ Ensure data storage administrators



manage storage from the perspective of the individual applications, so that storage monitoring and problem resolution addresses the unique issues of the specific business lines.

3. If a tape management system is in use, verify that only appropriate personnel are able to override its controls.

4. Determine if management has adequate off-site storage of:

▪ Operations procedures manuals; ▪ Shift production sheets and logs;

and▪ Run instructions for corresponding

shift production sheets.

D. ENVIRONMENTAL MONITORING AND CONTROL

1. Assess whether the identified environmental controls and monitoring capabilities can detect and prevent disruptions to the operations environment and determine whether:

▪ Sufficient back-up electrical power is available (e.g. separate power feed, UPS, generator);

▪ Sufficient back-up telecommunications feeds are available;

▪ HVAC systems are adequate and can operate using the back-up power source;

▪ Computer cabling is documented, organized, labeled, and protected;

▪ The operations center is equipped



with an adequate smoke detection and fire suppression system and if it is designed to minimize or prevent damage to computer equipment if activated;

▪ Appropriate systems have been installed for detecting and draining water leaks before equipment is damaged;

▪ Management schedules and performs preventive maintenance in a reliable and secure manner that minimizes disruption to the operating environment; and

▪ Employee training for the use of various monitoring and control systems is adequate.

E. PHYSICAL SECURITY

1. Review and determine whether the identified physical security measures are sufficient to reasonably protect the operations center’s human, physical, and information assets. Consider whether:

▪ The operations center is housed in a sound building with limited numbers of windows and external access points;

▪ Security measures are deployed in a zoned and layered manner;

▪ Management appropriately trains employees regarding security policies and procedures;

▪ Perimeter if securities measures (e.g. exterior lighting, gates,



fences, and video surveillance) are adequate;

▪ Doors and other entrances are secured with mechanical or electronic locks;

▪ Guards (armed or unarmed) are present. Also determine if they are adequately trained, licensed, and subjected to background checks;

▪ There are adequate physical access controls that only allow employees access to areas necessary to perform their job;

▪ Management requires picture ID badges to gain access to restricted areas. Determine whether more sophisticated electronic access control devices exist or are necessary;

▪ Management adequately controls and supervises visitor access through the use of temporary identification badges or visitor escorts;

▪ Doors, windows, and other entrances and exits are equipped with alarms that notify appropriate personnel in the event of a breach and whether the institution uses internal video surveillance and recording;

▪ Personnel inventory, label, and secure equipment;

▪ Written procedures for approving and logging the receipt and removal of equipment from the premises are adequate;

▪ Confidential documents are



shredded prior to disposal; and▪ Written procedures for preventing

information assets from being removed from the facility are adequate.

F. EVENT/PROBLEM MANAGEMENT

1. Determine whether there is adequate documentation to support a sound event/management program, including:

▪ Problem resolution logs; ▪ Logs indicating personnel are

following requirements in operations procedures manual(s);

▪ Problem resolution notifications to other departments;

▪ Training records indicating operations personnel training for:· Business continuity event

escalation procedures;· Security event escalation

procedures; and· Unusual activity resolution

procedures.▪ Historical records of:

· Business continuity event escalation;

· Security event escalation; and· Unusual activity event and

corresponding resolution.

2. Determine whether posted emergency procedures address:

▪ Personnel evacuation; ▪ Shutting off utilities;



▪ Powering down equipment;▪ Activating and deactivating fire

suppression equipment; and▪ Securing valuable assets.

3. Determine whether emergency procedures are posted throughout the institution.

4. Assess whether employees are familiar with their duties and responsibilities in an emergency situation and whether an adequate employee training program has been implemented.

5. Determine if the institution periodically conducts drills to test emergency procedures.

G. HELP DESK/USER SUPPORT PROCESSES

1. Evaluate whether MIS is appropriate for the size and complexity of the institution.

▪ Determine whether effective an MIS is in place to monitor the volume and trend in key metrics, missed SLAs, impact analysis, root cause analysis, and action plans for unresolved issues.

▪ Assess whether action plans identify responsible parties and time frames for corrective action;

2. Determine if the technology used to manage help desk operations is commensurate with the size and complexity of the operations. Consider:

▪ Help desk access;▪ Logging and monitoring of issues;



▪ Automated event/problem logging and tracking process for issues that cannot be resolved immediately; and

▪ Automated alerts when issues are in danger of not being resolved within the SLA requirements, or alternatively, the effectiveness of the manual tracking processes.

3. Determine whether user authentication practices are commensurate with the level of risk and whether the types of authentication controls used by the help desk are commensurate with activities performed.

4. Determine whether the quality of MIS used to manage help desk operations is commensurate with the size and complexity of the institution. Consider the need for metrics to monitor issue volume trends, compliance with SLA requirements, employee attrition rates, and user satisfaction rates.

5. Determine whether the institution uses risk-based factors to prioritize issues. Identify how the institution assigns severity ratings and prioritizations to issues received by the call center.

6. Assess management’s effectiveness in using help desk information to improve overall operations performance.

▪ Identify whether management has effective tools and processes in place to effectively identify systemic or high-risk issues.

▪ Determine whether management identifies systemic or high-risk



issues and whether it has an effective process in place to address these issues. Effective processes would include impact and root cause analysis, effective action plans, and monitoring processes.

H. ITEMS PROCESSING

1. Determine if there are adequate controls around transaction initiation and data entry, including:

▪ Daily log review by the supervisor including appropriate sign-off;

▪ Control over and disposal of all computer output (printouts, microfiche, optical disks, etc.);

▪ Separation of duties;▪ Limiting operation of equipment to

personnel who do not perform conflicting duties;

▪ Balancing of proof totals to bank transmittals;

▪ Maintaining a log of cash letter balances for each institution;

▪ Analyzing out-of-balance proof transactions to determine if personnel identify discrepancies and adjust and document them on proof department correction forms. Also determine if the supervisor approves the forms;

▪ Balancing cash letter totals to the cash letter recap; and

▪ Daily management review of operation reports from the shift



supervisors.

2. Determine if the controls around in-clearings are adequate, including:

▪ Courier receipt logs completion;▪ Approval of general ledger tickets

by a supervisor or lead clerk;▪ Input and reporting of captured

items in a system-generated report with totals balanced to the in-clearing cash letter;

▪ Analyzing and correcting rejected items;

▪ Logging of suspense items sent to the originating institution for resolution;

▪ Approval of suspense items by a supervisor;

▪ Timely transmission of the capture files; and

▪ Captured paid items that are securely maintained or returned to the client.

3. Determine if there are adequate controls for exception processing, including:

▪ Adequate and timely review of exception and management reports including supporting documentation;

▪ Accounting for exception reports from client institutions;

▪ Verification of client totals of return items to item processing site totals;

▪ Prior approval for items to be paid and sent to the proof department for processing;



▪ Accounting and physical controls for return item cash letters and return items being sent to Federal Reserve or other clearinghouse; and

▪ Filming of return item cash letters and return items prior to being shipped to the Federal Reserve or other clearinghouse.

4. Determine the adequacy of controls for statement processing, including:

▪ Logging and investigation of unresolved discrepancies; and

▪ Supervisor review of the discrepancy log.

I. IMAGING SYSTEMS

1. Review and evaluate the imaging system. Determine:

▪ How the system communicates with the host;

▪ The system’s capacity and future growth capability;

▪ Whether the topology is based on a mainframe, midrange, or PC;

▪ The vendor;▪ The imaging standard being used;

and▪ The document conversion process.

2. Review and evaluate back-up and recovery procedures.

3. Review and evaluate the procedures used to recover bad images. Does it re-scan all or re-scan only defective images?



4. Review and evaluate the process and controls over document indexing. Does the system index documents after each one is scanned or after all documents are scanned?

5. Review and evaluate whether imaging hardware and software are interchangeable with that of other vendors. If they are, does management utilize normal processes or procedures when making changes or repairs? If they are not, has management identified alternate solutions should the current imaging hardware and software become unavailable?

5. Review and evaluate the retention period for source documents. Assess whether the period complies with the laws of all states within which the institution operates. Has management consulted with attorneys to consider the legal ramifications of destroying source documents?

7. Review and evaluate the access security controls, with particular attention to the following:

▪ Data security administrator access;▪ Controls over electronic image

files;▪ Controls over the image index to

prevent over-writing an image, altering of images, or insertion of fraudulent images;

▪ Controls over the index file to prevent the file from being tampered with or damaged; and

▪ Encryption of image files on production disks and on back-up



media.

Examiner Date

Reviewer’s Initials


Documents

E-Banking Workprogram · Web viewDescribe the operational organization structure for technology operations and assess its effectiveness in supporting the business activities of the